1

Bit of a newb when it comes to this but I'm giving it a go and, so far, things work but I hope I'm doing it in a correct manner and a couple of little hiccups...

HQ has a SBS2011E DC (DC1) that provides DHCP and DNS to a small network (IP: 192.168.10.11). Internet modem/router is gateway (192.168.10.1). DHCP is configured in 80/20 split-scope configuration (192.168.10.100 - 192.168.10.200).

New office has similar set up. Windows Server 2012 Standard (DC2) that also provides DHCP and DNS (DC2 IP: 192.168.10.12). DC2 - at the moment - is located at HQ whilst it is being configured. It has been domain joined and DCPromo'd so it is replicating and seems to work so far. I have run the DHCP split-scope wizard on DC1 for an 80/20 split. These settings have replicated onto DC2 so it is aware of what IPs it can and cannot serve. Internet modem/router is gateway - can I set this to a similar static IP as the HQ gateway, e.g. 192.168.10.2?

An issue I have run into is that when I restart DC1 it complains that an existing DHCP server is on the network and the DHCP Server service on DC1 stops. I have read that with SBS in particular that it does not like other DHCP servers to be on the same subnet, even though I have configured a split-scope? It is fully aware that the other DHCP server won't serve addresses in the range it offers because the wizard ran successfully?! As a temporary fix for this I found a registry entry (DisableRogueDetection) that has been applied to DC1 - but I do not want to rely on this because it is not a "natural" solution.

Why a split-scope? Why not? Our intention is to move DC2 to our remote site where a hardware VPN will join the two networks. I would like for the two servers to be able to help the entire network for file shares, DHCP and DNS. As a result of this I would like for DHCP requests to traverse the VPN (just in case any of the servers are down). The split-scope DHCP, I have read in many locations, should allow for precisely what I am intending? I could then have the entire network use a logical range.

If the split-scope is going to cause problems then I can revert to different ranges for the two servers.

Can I have the hardware VPN use end-point IPs that are within my subnet range? The device is a Draytek all-in-one router/VPN etc. so it has been configured as the gateway and I can get to the web interface using 192.168.10.1 so I would like to be able to get to the other end-point device (another Draytek if I can) by a similar IP (such as 192.168.10.2)...

My "idea" of a network configuration:

enter image description here

Edit 1: I guess my questions are:

  1. If I want to use the two DHCP servers serve a split-scope then am I safe to continue using the SBS 2011 Essentials registry hack to make it ignore rogue DHCP servers on the network - because it DOES have two? The routers would be configured to allow DHCP requests across the VPN so if one DHCP server is down, the other can still respond.
  2. Would a network configuration as to my picture work? I am trying to get advice before I turn up at the remote office for it to not work!
  3. Can I set my VPN routers to have the IP's as per my picture so that they can be part of the network and managed using addresses within a logical range? Obviously I'm not asking how to configure them, I know this; but the IPs they would be given within the tunnel is what I'm asking.
Kinnectus
  • 260
  • 1
  • 11
  • `1.` The SBS rogue DHCP detection mechanism was intended to ensure that no other DHCP server exists on the same segment. If you need to disable that then go ahead. I don't see that as impacting any other function of SBS or the domain. `2.` As for the "split of the scope", the 80/20 rule is generally suggested but I use a 50/50 split. – joeqwerty Feb 12 '15 at 04:38

2 Answers2

0

Don't understand exactly what you need to know (and where is the question)but if i understand a few: use dhcp relay. How to do that : https://technet.microsoft.com/en-us/library/cc771390.aspx

YuKYuK
  • 627
  • 3
  • 14
  • Thanks YuKYuK, I've updated my question. Ideally, because of the nature of a split-scope DHCP then a relay (and the fact I've got a DHCP server at both sites) wouldn't be necessary, right? – Kinnectus Feb 11 '15 at 15:07
  • Hum i think its a good idea to block vpn to diffuse dhcp. And do a real dhcp split : one site : range 50-150 and other one : 150-250 . Or you use one dhcp server and relay on the other site . With two dhcp you don't have ip conflict on dhcp client ? – YuKYuK Feb 11 '15 at 15:45
  • I'm just confused as to why a relay should be needed when a split-scope means neither server are overlapping addresses and I've got redundancy across the network if one or the other fails...? – Kinnectus Feb 11 '15 at 16:06
  • YOur schematics don't show a split scope but a conflit scope :) . Check here for why dhcp relay is a good idea and when you must use multiple dhcp server : http://blogs.technet.com/b/teamdhcp/archive/2012/09/05/multi-site-deployment-topologies-for-dhcp-failover.aspx – YuKYuK Feb 11 '15 at 16:19
  • Yeah, I was trying to quickly come up with a diagram so i wrote "split-scope" instead... probably quite confusing. The split-scope has been configured on DC1 and has replicated to DC2 so they DON'T overlap... sorry to confuse... – Kinnectus Feb 11 '15 at 16:26
0

Don't do this. The setup you illustrate is an over-complicated and failure-prone network configuration. In order for it to even appear to work correctly you'd have to bridge the networks which mean that all your broadcast traffic would have to traverse the WAN, which would likely be a disaster.

Use a separate subnet for each site.

I'm also confused as to why you have dived into split-scope DNS. "Why not?" is not good enough, Keep It Simple Stupid. Switching on DHCP on the router or another server in the event of loss of your DHCP server is so trivially simple that it makes no sense to try and build complex redundancy for it.

BlueCompute
  • 2,954
  • 2
  • 19
  • 28
  • Thanks for this, BlueCompute. I'm sure I haven't delved into split-scope DNS... it's just the split-scope DHCP. I hear what you say about broadcast traffic going over the WAN. However, why would a split-scope DHCP feature be on offer if the best advice is to use separate subnets? Ideally I wouldn't want to turn on DHCP on the router in the event of failure when I have the possibility of a Windows Server-based DHCP server failover mechanism? Why would MS go down this route if it wasn't a solution? I would like to keep it simple, of course, but if a feature is advertised then "why not"? – Kinnectus Feb 11 '15 at 17:07
  • Split-scope DHCP is for 2 DHCP servers on one LAN. It's not for two separate LANs. You're confused about the purpose of the feature. If you want redundant DHCP across two sites you do it like this, with seperate subnets and scopes: http://blogs.technet.com/b/teamdhcp/archive/2012/09/05/multi-site-deployment-topologies-for-dhcp-failover.aspx – BlueCompute Feb 11 '15 at 23:25
  • Read the page and it clearly says about multiple sites failover. I don't want to get confusion between the capabilities of my server versions, but how, then, would one use the Server 2012 DHCP Hot Standby as it clearly says that the hot standby server would have the scopes of the other server in the event of that server going down. There's also pictures of different sites (separate LANs). This would still require the site-to-site connectivity and the DHCP traffic over the WAN in the event of a local failure. This is my point...? Thanks for your help again :) – Kinnectus Feb 12 '15 at 08:12
  • Don't get me wrong, I understand the need for different subnets and will use this. Hmm, I'm starting to see the error of my ways lol... – Kinnectus Feb 12 '15 at 08:50